CVE-2009-1760: libtorrent Arbitrary File Overwrite

This bug was discovered by Dimitris Glynos and I have to admit that I’m really sad to see Greek people moving to the other side like that. Anyway, libtorrent is a popular open source BitTorrent implementation. This issue affects libtorrent up to the 0.14.3 release. Here is the buggy code from that release:

As its name implies, this function is used to extract a file entry from the .torrent file. What D. Glynos noticed is that the only check performed on each path component (p->list_at(i)->string_value()) is a comparison against the exact string “..”. Because of this, an attacker is able to access any file on the system using relative paths. D. Glynos gave an example in his advisory. To fix this they added a new function:
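The libtorrent fix itself is not reproduced here. The following is an added example (not libtorrent's code) that places a per-component check of the weak kind described above, which only rejects a component equal to “..”, beside a hardened joiner that refuses any component able to escape the download directory. The root directory, the helper names and the sample path lists are constructed for the example.

```cpp
// Added example, not libtorrent code: weak per-component check vs. a hardened joiner.
#include <cstdio>
#include <string>
#include <vector>

// Weak check modelled on the bug: only a component that is exactly ".." is rejected.
// A component such as "../../etc" or "/etc/passwd" passes untouched.
bool weak_check(const std::vector<std::string>& parts) {
    for (const std::string& p : parts)
        if (p == "..") return false;
    return true;
}

// Hardened rule: every component must be one plain, relative path element.
bool component_is_safe(const std::string& p) {
    if (p.empty() || p == "." || p == "..") return false;
    for (char c : p)
        if (c == '/' || c == '\\' || c == '\0') return false;  // embedded separator
    if (p.size() >= 2 && p[1] == ':') return false;            // Windows drive letter
    return true;
}

// Joins the components beneath root only if all are safe; on failure returns false
// and leaves `out` unchanged, so nothing outside root can ever be produced.
bool safe_join(const std::string& root, const std::vector<std::string>& parts,
               std::string& out) {
    std::string result = root;
    for (const std::string& p : parts) {
        if (!component_is_safe(p)) return false;
        result += '/';
        result += p;
    }
    out = result;
    return true;
}

int main() {
    // Constructed path lists as they could appear in a .torrent "path" entry.
    const std::vector<std::string> benign    = {"album", "track01.mp3"};
    const std::vector<std::string> traversal = {"../../etc", "passwd"};
    const std::vector<std::string> absolute  = {"/etc/passwd"};
    for (const std::vector<std::string>* v : {&benign, &traversal, &absolute}) {
        std::string out = "(rejected)";
        bool ok = safe_join("/downloads", *v, out);
        std::printf("weak=%d hardened=%d -> %s\n", weak_check(*v), ok, out.c_str());
    }
    return 0;
}
```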

5 Responses

What is meant by “moving to the other side”? The guy saw a vulnerability and RESPONSIBLY disclosed it. While you may have your views on vulnerability disclosure, once a person (or group of persons) finds a vuln, they are free to do as they please with it. Please try to keep this useful resource non-opinionated.
If I am missing the point, feel free to enlighten me :-)

Of course he can do whatever he wants with that vulnerability since he discovered it. Nevertheless, I am not a supporter of full disclosure and in my opinion it is sad and disappointing to see people that know a couple of things about security moving to the whitehat side. That’s what I meant.
I usually don’t comment about my positions regarding the authors but this guy is Greek and I feel shame for that.

Agreed with “choosing”, much wiser choice of words. Still, it is his call, as it is your call (or mine or whoever else) to follow a respective lifestyle that affects decisions like that. Let’s not keep beating a dead horse.